
Example of how to detect malware infections across multiple hosts?

sloshburch
Splunk Employee

Does anyone have examples of how to use Splunk to detect malware infections across multiple hosts?

1 Solution

sloshburch
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about use case examples Splunk® Platform Use Cases on Splunk Docs.

Multiple, simultaneous viruses are a concern because they can indicate an exploit kit that tries several techniques where some succeed on a single host with multiple unrelated viruses. Prioritize these hosts and investigate them immediately to ensure nothing is missed.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials app on Splunkbase.

Load data

How to implement: With Symantec logs onboard, these searches should work easily. If you have a different anti-virus product, adapt the searches to the field names and source types for that product. Search on Splunkbase for a Splunk add-on that maps field names and source types to the Common Information Model.

Data check: This use case requires Symantec AV data.

Get insights

Find hosts that logged into multiple, different, and infected endpoints in a short period of time.

Use the following search:

index=* tag=malware tag=attack
| transaction maxpause=1h dest
| where eventcount>=3 AND duration>240
| table Occurrences, signature, Requested_Action, Actual_Action, Secondary_Action, ApplicationHash, HashType, dest, src, user, Confidence, Disposition, file_path, Prevalence, _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: Use your malware response procedure.

Help

This search works with Symantec logs onboard. However, you can adapt it to work with a different anti-virus product by updating the field names and source types for that product. Search Splunkbase to find a Splunk Add-on that maps your product to the Common Information Model.

This search is for Symantec AV data. However, you can adapt it to work with other anti-virus products.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.

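To make the logic of the search above concrete, here is an added Python example (not code from Splunk, the Security Essentials app, or the answer's author) that reproduces the `transaction maxpause=1h dest` grouping and the `eventcount>=3 AND duration>240` filter over a handful of constructed key=value anti-virus events. The field names (`dest`, `signature`, `user`, `file_path`) follow the CIM-style names used in the search; the sample lines and host names are invented, and the grouping is an approximation of Splunk's `transaction` command (consecutive events for the same `dest` no more than `maxpause` apart form one transaction).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real Symantec output). Each line is a
# timestamp followed by key=value pairs using the field names from the search.
SAMPLE_LOG = r"""
2024-05-01T09:00:00Z dest=ws-017 src=ws-017 user=alice signature=Trojan.Gen.2 action=blocked file_path=C:\Users\alice\Downloads\inv.exe
2024-05-01T09:06:00Z dest=ws-017 src=ws-017 user=alice signature=Downloader.Upatre action=quarantined file_path=C:\Users\alice\AppData\Local\Temp\a.tmp
2024-05-01T09:20:00Z dest=ws-017 src=ws-017 user=alice signature=Ransom.Cryptolocker action=blocked file_path=C:\Users\alice\AppData\Roaming\x.exe
2024-05-01T09:25:00Z dest=ws-017 src=ws-017 user=alice signature=Backdoor.Trojan action=quarantined file_path=C:\Windows\Temp\svc.exe
2024-05-01T10:00:00Z dest=ws-042 src=ws-042 user=bob signature=Trojan.Gen.2 action=quarantined file_path=C:\Users\bob\Downloads\a.exe
2024-05-01T10:01:00Z dest=ws-042 src=ws-042 user=bob signature=Trojan.Gen.2 action=quarantined file_path=C:\Users\bob\Downloads\a.exe
2024-05-01T10:02:00Z dest=ws-042 src=ws-042 user=bob signature=Trojan.Gen.2 action=quarantined file_path=C:\Users\bob\Downloads\a.exe
2024-05-01T11:00:00Z dest=ws-099 src=ws-099 user=carol signature=PUA.Toolbar action=quarantined file_path=C:\Users\carol\tb.exe
2024-05-01T13:30:00Z dest=ws-099 src=ws-099 user=carol signature=PUA.Toolbar action=quarantined file_path=C:\Users\carol\tb.exe
2024-05-01T16:00:00Z dest=ws-099 src=ws-099 user=carol signature=PUA.Toolbar action=quarantined file_path=C:\Users\carol\tb.exe
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a UTC _time."""
    ts, *pairs = line.split()
    event = {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def build_transactions(events, maxpause_seconds=3600):
    """Approximate `transaction maxpause=1h dest`: events are sorted by time and
    bucketed per dest; a gap larger than maxpause between two consecutive events
    for the same dest closes the current transaction and starts a new one."""
    by_dest = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_dest[ev["dest"]].append(ev)
    transactions = []
    for evs in by_dest.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if (ev["_time"] - current[-1]["_time"]).total_seconds() > maxpause_seconds:
                transactions.append(current)
                current = [ev]
            else:
                current.append(ev)
        transactions.append(current)
    return transactions


def summarize(txn):
    """Derive the fields the search filters and tabulates from one transaction."""
    first, last = txn[0]["_time"], txn[-1]["_time"]
    return {
        "dest": txn[0]["dest"],
        "eventcount": len(txn),                      # transaction's eventcount
        "duration": (last - first).total_seconds(),  # transaction's duration (seconds)
        "signature": sorted({e["signature"] for e in txn}),
        "user": sorted({e["user"] for e in txn}),
        "_time": first,
    }


def find_multi_infected_hosts(log_text, maxpause_seconds=3600, min_events=3, min_duration=240):
    """Equivalent of `| where eventcount>=3 AND duration>240` over the transactions."""
    events = [parse_event(line) for line in log_text.strip().splitlines()]
    hits = []
    for txn in build_transactions(events, maxpause_seconds):
        summary = summarize(txn)
        if summary["eventcount"] >= min_events and summary["duration"] > min_duration:
            hits.append(summary)
    return hits


if __name__ == "__main__":
    for hit in find_multi_infected_hosts(SAMPLE_LOG):
        print(hit["dest"], hit["eventcount"], int(hit["duration"]), ", ".join(hit["signature"]))
```

Running it flags only ws-017 (four different signatures within 25 minutes). ws-042 has three detections but they fall inside two minutes, so `duration` never exceeds 240 seconds, and ws-099's three detections are each more than an hour apart, so they split into three single-event transactions. Note that the search itself counts events, not distinct signatures; the `signature` list in the summary shows how you would check that the detections are actually unrelated, which is what the answer's reasoning about exploit kits relies on.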
